PROCESSING OF SPECIAL INFORMATION
Special personal information is information that relates to the religious or philosophical beliefs, race or ethnic origin, trade union membership, political persuasion, health or sex life or biometric information of a data subject.
It also includes criminal behaviour relating to the alleged commission of an offence, or any proceeding dealing with alleged offences.
Examples of special personal information include medical records, biometric records obtained for access control, pre-employment medical questionnaires or examinations, various drug or alcohol test results, sick leave records, pre-employment screening records relating to criminal convictions, police clearances, COVID test results and screening, trade union membership records and race or ethnic origin records in training plans.
You are only allowed to process the special information of a data subject where a general or specific authorisation applies.
General authorisations for the processing of special personal information
You are allowed to process the special information of a person where:
- consent of the data subject has been obtained
- processing is necessary for the establishment, exercise or defence of a right or obligation in law
- processing is necessary to enable compliance with an obligation of International Public Law
- processing is for historical, statistical or research purposes, subject to stipulated safeguards
- the data subject has deliberately made the information public
- specific authorisation has been obtained
In these instances, you will have to be able to prove the basis on which you are doing the processing.
REGULATORY CONSENT
Where you intend to process special personal information for any other reason, you will have to apply for consent from the Information Regulator.
Consent may be given if the processing is in the public interest and you have appropriate safeguards in place to protect the personal information of the data subjects. It may also be subject to conditions imposed by the Regulator.
You also have to obtain pre-authorisation from the Information Regulator where you intend to transfer special personal information to a third party in a foreign country that does not provide an adequate level of protection for the processing of personal information as referred to in section 72. This is more fully described in the Chapter on “Pre-Authorisation”.
SPECIFIC AUTHORISATIONS FOR PROCESSING SPECIAL PERSONAL INFORMATION
RELIGIOUS OR PHILOSOPHICAL BELIEFS
Processing of this type of special personal information is allowed when done by spiritual or religious organisations in respect of their members, or where it is necessary to achieve their aims and principles.
It is also permitted by institutions founded on religious or philosophical principles in respect of their members or employees or other persons belonging to the institution, where the processing is necessary to achieve the institution’s aims and principles.
For other institutions, processing special personal information relating to religious or philosophical beliefs is allowed to protect the spiritual welfare of the data subjects, unless the data subject objects.
This type of special information may not be shared with any third party without the data subject’s explicit consent.
RACE OR ETHNIC ORIGIN
You are permitted to process the race or ethnic origin of persons where this is:
- Essential to identify the person
- Necessary to comply with laws designed to protect or advance previously disadvantaged persons
TRADE UNION MEMBERSHIP
Trade unions can process the special information relating to trade union membership of their members, where this is necessary to achieve the aims of the trade union or trade union federation.
No personal information may be supplied to third parties without the explicit consent of the data subject.
POLITICAL PERSUASION
There will have to be a good reason to process the political persuasion of a person if you are not a political party or an institution founded on political principles.
This type of information may not be shared with a third party without the data subject’s explicit consent.
HEALTH OR SEX LIFE
Processing personal information concerning a data subject’s health or sex life is permitted by medical professionals, healthcare institutions or facilities, or social services, if this is necessary for the proper treatment and care of the data subject, or for the administration of the institution or professional practice concerned.
It is also allowed by insurance companies, medical schemes, medical scheme administrators and managed healthcare organisations, where the processing is necessary for:
- assessing the risk to be insured by the insurance company or covered by the medical scheme and the data subject has not objected to the processing
- the performance of an insurance or medical scheme agreement
- the enforcement of any contractual rights and obligations
Where you are an administrative body, pension fund, employer or an institution working for one of these, you may collect and process information relating to the health or sex life of persons where this is necessary to comply with applicable laws, pension regulations or collective agreements which create rights dependent on the health or sex life of the data subject.
You may also process this information where it is necessary for the reintegration of or support for workers or persons entitled to benefit in connection with sickness or work incapacity, such as Workman’s Compensation.
Schools may process this type of information only where it is to provide special support for pupils or to make special arrangements in connection with their health or sex life.
If an organisation manages the care of children, it is allowed to process this type of special information if the processing is necessary for the performance of its lawful duties.
Public bodies who process this information may do so where it is in connection with the implementation of prison sentences or detention measures.
It is important to note that where the health or sex life of a person is processed, confidentiality is essential in terms of POPI. This means that where you process this type of information, you will have to ensure that measures and safeguards are implemented to protect the confidentiality of the information. Information of this nature must only be shared where this is required by law or where you have the necessary consent.
Confidentiality can be required by virtue of office, employment, profession or legal provision, or established by a written agreement between the responsible party and the data subject.
It must be noted here that where any other type of special information is required to be processed to supplement the processing of personal information concerning a data subject’s health with a view to the proper treatment or care of the data subject, then this is permitted.
Personal information concerning inherited characteristics may not be processed unless this is for a serious medical interest or the processing is necessary for historical, statistical or research activity.
BIOMETRIC INFORMATION
Biometric information may be processed by bodies who are legally responsible for applying criminal law.
You are permitted to process biometric information where you have legally obtained this. This may be because you have obtained the person’s consent, for example.
Where you process biometric information of staff, this must be done according to the 8 processing principles as well as any applicable labour legislation. Make sure you know what applies here.
Where you are required to process any other type of special information to supplement the processing of biometric information, this is permitted.
CRIMINAL BEHAVIOUR
Criminal behaviour information may be processed by bodies who are legally responsible for applying criminal law.
You are permitted to process criminal information where you have legally obtained this. For example, there are certain industries which have specific legal rules in respect of appointing persons with criminal records, and where this is the case, you need to be aware of what the requirements are.
The Child Act, for example, has specific rules in respect of persons who may not be permitted to work with children. These include persons who have been convicted of crimes, or attempted crimes relating to children, such as murder, rape, indecent assault, assault with the intent to do grievous bodily harm, possession of child pornography or human trafficking.
In certain financial services roles, there is an obligation to check whether a person who is going to be appointed to these roles has any criminal history relating to fraud or money laundering or similar financial crime.
In both these instances, there is a legal obligation to check the criminal history of the person and ensure that they are suitable for the position.
Where you do process criminal information of staff, you must comply with applicable labour legislation. Make sure you know what this is.
Where you are required to process any other type of special information aside from criminal history, to supplement the processing of the criminal information, this is permitted.
WHAT MUST YOU DO?
Identify whether you process special information, and if so, where and how and why.
Make sure that any processing is done only as permitted and that you have proper safeguards in place. Ensure that you are able to motivate the reasons for the processing you do.
Identify where you may require regulatory consent or pre-authorisation for processing this type of information and ensure it is in place.
Ensure you comply with labour legislation where you process the special information of staff.
PROCESSING CHILDREN’S PERSONAL INFORMATION
Children’s information is processed on a daily basis for many different purposes, for example, access control into premises and COVID screening, CCTV monitoring, where children are beneficiaries on an insurance contract, for medical purposes, when providing digital services, and where children are consumers of educational products, applications and games.
POPI recognises that children are vulnerable, and so there is a general prohibition against processing children’s personal information without appropriate authorisation. The provision is intended to give parents and other competent persons control over sensitive and private information collected from children and how this information is used and shared.
In South Africa, important legislation to be aware of includes the Children’s Act 38 of 2005. In terms of this act, a “child” means a person under the age of 18 years.
The definition of “child” according to POPI, means “a natural person under the age of 18 years who is not legally competent, without the assistance of a competent person, to take any action or decision in respect of any matter concerning him- or herself”.
Before processing children’s information, it is important that a thorough risk assessment is conducted, considering the potential consequences for both the organisation and the child should the data be breached. The higher the risk, the more effort and expense will be required.
First prize is always to obtain the child’s information directly from the parent or guardian. That way, the act of handing over the information doubles as permission to use it, as long as the parent is aware of what the information will be used for.
In all matters concerning the care, protection and wellbeing of a child, the standard that the child’s best interest is of paramount importance must be applied. There are a number of risk factors to consider when processing a child’s personal information, including the risk that a child may be targeted for harmful purposes by a person who definitely doesn’t have his or her best interests at heart.
Special care should be taken where:
- The child’s personal information is going to be disclosed to a third
- If the child’s details are going to be used for marketing
- If the information is going to be made
- If the child’s image is going to be used on a website which is open to the
Processing the personal information of children is prohibited unless one of the following justifications is present:
COMPETENT PERSON CAN CONSENT TO THE PROCESSING.
A competent person is defined as “any person who is legally competent to consent to any action or decision being taken in respect of any matter concerning a child.” In most instances, this will be a parent or guardian; however, this is not always the case. There are exceptions in South African law where the consent of a parent or guardian may be replaced by the consent of another party, for example, a medical practitioner in the instance where an underage girl requests an abortion.
There are also situations where a child is considered to be a “competent” person in terms of legislation. An example of this would be where a child is permitted to open a bank account at age 16. The processing of a child’s personal information for this purpose can be seen as being authorised by virtue of legislation conferring the right on the child.
NECESSARY FOR THE ESTABLISHMENT, EXERCISE OR DEFENCE OF A RIGHT OR OBLIGATION IN LAW (INCLUDING INTERNATIONAL PUBLIC LAW)
Processing children’s information is permitted where this is required to protect or defend a child’s legal right or obligation.
HISTORICAL, STATISTICAL OR RESEARCH PURPOSES
This provision applies if the processing serves a public interest and it is impossible (or would require a disproportionate effort) to ask for consent from a competent person.
The business would also need to provide sufficient guarantees that the privacy of the child is not disproportionately affected. In such instances, risk can be avoided by de-identifying the information.
CHILD DELIBERATELY MADE THE INFORMATION PUBLIC WITH THE CONSENT OF A COMPETENT PERSON
The prohibition does not apply if the child deliberately made the personal information public with the consent of a parent, guardian or other competent person. Where this provision is relied upon, it is important to be able to prove the consent, which should be express, explicit and informed.
REGULATORY CONSENT
You may request permission from the Information Regulator to process children’s information for some other reason. The Regulator may grant the permission if this is in the public interest and you have sufficient safeguards in place in respect of the information.
Where you obtain regulatory consent, this may be subject to certain conditions. These conditions can include how you enable a competent person (such as a parent or guardian) to review the information you process or to refuse to allow further processing.
Further conditions could prescribe how you provide notice regarding the nature of the personal information of children that is processed, how the information is processed and any further processing practices.
There may also be provisions which ensure that you refrain from any action that is intended to encourage or persuade a child to disclose more personal information about him- or herself than is reasonably necessary.
You also have to obtain pre-authorisation from the Information Regulator where you intend to transfer children’s personal information to a third party in a foreign country that does not provide an adequate level of protection for the processing of personal information as referred to in section 72. This is more fully described in the section on “Pre-Authorisation”.
WHAT MUST YOU DO?
Identify whether you process children’s information, and if so, where and how. Make sure that any processing of children’s information is done only as permitted and that you have proper safeguards in place.
Ensure that you are able to motivate the reasons for the processing you do.
Website terms and conditions which contain provisions such as: “You must be 18 years of age or older to make use of our services/our website. If you are under 18 years of age, you must have your parent or guardian’s consent” may not be sufficient, particularly in cases where no attempts are made to ascertain the age of the consumer, or the term is hidden in general terms and conditions. The information being collected and processed should be risk assessed and measures implemented to address the level of risk.
Take special care when children are visiting an organisation and information is collected or processed, for example by way of CCTV. There should be no identifying information, and even school clothes or banners could pose a risk. Ensure that there are proper visitor protocols and full disclosure, and that visitors understand the organisation’s policy.
Identify where you may require regulatory consent or pre-authorisation for processing this type of information and ensure it is in place.
PRIOR AUTHORISATION
There are a number of instances where you require the prior authorisation of the Information Regulator before you are allowed to process personal information. The pre-authorisation only needs to be obtained once, and not each time that personal information is received or processed, except where the processing is different to that which has been authorised.
It is important to mention here that with the transitional arrangements, these types of processing may continue without pre-notification to the Regulator until the Regulator notifies otherwise.
It is also important to mention that the requirements for pre-authorisation will not apply if a code of conduct has been issued and is in force in terms of Chapter 7 of POPI in a specific sector or sectors of society.
REGULATORY NOTIFICATION
Where you anticipate processing any information which requires pre-authorisation, you have the responsibility to notify the Information Regulator of this before you do any processing.
The Regulator must provide you with written notification within 4 weeks of receiving your notification as to whether or not it will conduct a more detailed investigation.
Where the Regulator decides to conduct a more detailed investigation, it must indicate the period within which it plans to conduct this investigation. This may not exceed 13 weeks. The Regulator must then issue a statement concerning the lawfulness of the processing.
You are not allowed to go ahead with the processing until the Regulator has completed its investigation or until you have received notice that a more detailed investigation will not be conducted.
Where you do not receive the Regulator’s decision within the required timeframes, you may presume that a decision has been made in your favour, and you may proceed with the processing.
Where the Regulator issues a statement which notes the anticipated processing as not being lawful, this is deemed to be an enforcement notice.
If you do not obtain the required pre-authorisation but process the information anyway, you will be guilty of an offence and liable to a penalty.
Pre-Authorisation is required for the following:
UNIQUE IDENTIFIERS
Pre-authorisation is required where you intend to process any unique identifiers of data subjects for a purpose which is different from the one for which you initially collected the information, and where you aim to link the information together with information processed by other responsible parties.
A “unique identifier” is “any identifier that is assigned to a data subject and is used by a responsible party for the purposes of the operations of that responsible party and that uniquely identifies that data subject in relation to that responsible party.”
In other words, it is something that uniquely identifies a person. There are a number of examples of “unique identifiers” which, when used by themselves, do not necessarily distinguish a data subject, but when used in conjunction with other information provide unique identification, for example:
- Identity number
- Insurance Policy number
- Online Identifier
- Location data
- Personal tax number
- Photograph when used together with a name and surname
You will need to be able to identify where this is going to happen, and if so, ensure that you follow the right process.
CRIMINAL BEHAVIOUR OR BAD CONDUCT
You must obtain pre-authorisation from the Information Regulator where you intend to process information on criminal behaviour or on unlawful or objectionable conduct on behalf of a third party.
You will need to be able to identify where this is going to happen, and if so, ensure that you follow the right process.
CREDIT REPORTING
You must obtain pre-authorisation from the Information Regulator where you intend to process information for the purposes of credit reporting.
You will need to be able to identify where this is going to happen, and if so, ensure that you follow the right process.
TRANSFER OF SPECIAL OR CHILDREN’S INFORMATION
You must obtain pre-authorisation from the Information Regulator where you intend to transfer special personal information or children’s personal information to a third party in a foreign country that does not provide an adequate level of protection for the processing of personal information.
You will need to be able to identify where this is going to happen, and if so, ensure that you follow the right process.